Winnti APT group docks in Sri Lanka for new campaign

In early August, the Malwarebytes Threat Intelligence team identified a new attack targeting government entities in Sri Lanka. The threat actors used multiple layers of protection and techniques to make analysis harder and hide their final payload.

However, based on tactic, techniques and procedures (TTPs) as well as code similarities we believe that this attack falls under the Winnti umbrella (also known as APT41). Winnti is a Chinese state-sponsored group that has conducted cyber espionage and financially motivated operations since 2012. Winnti remains active and its arsenal keeps growing as one of the most sophisticated groups nowadays. Sri Lanka’s location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India.

We identified several payloads being dropped in this campaign, including the famous KeyPlug malware but more interestingly, we found a new backdoor that we call DBoxAgent due to its use of Dropbox as a command and control server. We shared our initial findings with Dropbox who immediately took action to stop this malicious activity. We would like to thank the Dropbox threat intelligence team for their response.

Here are the highlights of our this investigation:

• To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time
• The attack time frame coincides with a major geopolitical event involving China and Sri Lanka
• The threat actors created a new backdoor and used Dropbox for their command and control infrastructure

Download the full report here.